Verify Signed Kubernetes Artifacts

FEATURE STATE: Kubernetes v1.26 [beta]

Before you begin

You will need to have the following tools installed:

Verifying binary signatures

The Kubernetes release process signs all binary artifacts (tarballs, SPDX files, standalone binaries) by using cosign’s keyless signing. To verify a particular binary, retrieve it together with its signature and certificate:

  1. URL=https://dl.k8s.io/release/v1.30.0/bin/linux/amd64
  2. BINARY=kubectl
  3. FILES=(
  4. "$BINARY"
  5. "$BINARY.sig"
  6. "$BINARY.cert"
  7. )
  8. for FILE in "${FILES[@]}"; do
  9. curl -sSfL --retry 3 --retry-delay 3 "$URL/$FILE" -o "$FILE"
  10. done

Then verify the blob by using cosign verify-blob:

  1. cosign verify-blob "$BINARY" \
  2. --signature "$BINARY".sig \
  3. --certificate "$BINARY".cert \
  4. --certificate-identity krel-staging@k8s-releng-prod.iam.gserviceaccount.com \
  5. --certificate-oidc-issuer https://accounts.google.com

Note:

Cosign 2.0 requires the --certificate-identity and --certificate-oidc-issuer options.

To learn more about keyless signing, please refer to Keyless Signatures.

Previous versions of Cosign required that you set COSIGN_EXPERIMENTAL=1.

For additional information, please refer to the sigstore Blog

Verifying image signatures

For a complete list of images that are signed please refer to Releases.

Pick one image from this list and verify its signature using the cosign verify command:

  1. cosign verify registry.k8s.io/kube-apiserver-amd64:v1.30.0 \
  2. --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
  3. --certificate-oidc-issuer https://accounts.google.com \
  4. | jq .

Verifying images for all control plane components

To verify all signed control plane images for the latest stable version (v1.30.0), please run the following commands:

  1. curl -Ls "https://sbom.k8s.io/$(curl -Ls https://dl.k8s.io/release/stable.txt)/release" \
  2. | grep "SPDXID: SPDXRef-Package-registry.k8s.io" \
  3. | grep -v sha256 | cut -d- -f3- | sed 's/-/\//' | sed 's/-v1/:v1/' \
  4. | sort > images.txt
  5. input=images.txt
  6. while IFS= read -r image
  7. do
  8. cosign verify "$image" \
  9. --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
  10. --certificate-oidc-issuer https://accounts.google.com \
  11. | jq .
  12. done < "$input"

Once you have verified an image, you can specify the image by its digest in your Pod manifests as per this example:

  1. registry-url/image-name@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2

For more information, please refer to the Image Pull Policy section.

Verifying Image Signatures with Admission Controller

For non-control plane images (for example conformance image), signatures can also be verified at deploy time using sigstore policy-controller admission controller.

Here are some helpful resources to get started with policy-controller:

Verify the Software Bill Of Materials

You can verify the Kubernetes Software Bill of Materials (SBOM) by using the sigstore certificate and signature, or the corresponding SHA files:

  1. # Retrieve the latest available Kubernetes release version
  2. VERSION=$(curl -Ls https://dl.k8s.io/release/stable.txt)
  3. # Verify the SHA512 sum
  4. curl -Ls "https://sbom.k8s.io/$VERSION/release" -o "$VERSION.spdx"
  5. echo "$(curl -Ls "https://sbom.k8s.io/$VERSION/release.sha512") $VERSION.spdx" | sha512sum --check
  6. # Verify the SHA256 sum
  7. echo "$(curl -Ls "https://sbom.k8s.io/$VERSION/release.sha256") $VERSION.spdx" | sha256sum --check
  8. # Retrieve sigstore signature and certificate
  9. curl -Ls "https://sbom.k8s.io/$VERSION/release.sig" -o "$VERSION.spdx.sig"
  10. curl -Ls "https://sbom.k8s.io/$VERSION/release.cert" -o "$VERSION.spdx.cert"
  11. # Verify the sigstore signature
  12. cosign verify-blob \
  13. --certificate "$VERSION.spdx.cert" \
  14. --signature "$VERSION.spdx.sig" \
  15. --certificate-identity krel-staging@k8s-releng-prod.iam.gserviceaccount.com \
  16. --certificate-oidc-issuer https://accounts.google.com \
  17. "$VERSION.spdx"